summaryrefslogtreecommitdiffstats
path: root/doc/wiki/Authentication.RestrictAccess.txt
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
commitf7548d6d28c313cf80e6f3ef89aed16a19815df1 (patch)
treea3f6f2a3f247293bee59ecd28e8cd8ceb6ca064a /doc/wiki/Authentication.RestrictAccess.txt
parentInitial commit. (diff)
downloaddovecot-f7548d6d28c313cf80e6f3ef89aed16a19815df1.tar.xz
dovecot-f7548d6d28c313cf80e6f3ef89aed16a19815df1.zip
Adding upstream version 1:2.3.19.1+dfsg1.upstream/1%2.3.19.1+dfsg1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/wiki/Authentication.RestrictAccess.txt')
-rw-r--r--doc/wiki/Authentication.RestrictAccess.txt85
1 files changed, 85 insertions, 0 deletions
diff --git a/doc/wiki/Authentication.RestrictAccess.txt b/doc/wiki/Authentication.RestrictAccess.txt
new file mode 100644
index 0000000..b24be44
--- /dev/null
+++ b/doc/wiki/Authentication.RestrictAccess.txt
@@ -0,0 +1,85 @@
+Restricting Access
+==================
+
+Restricting IMAP/POP3 access
+----------------------------
+
+Below examples show how you can give POP3 access to everyone, but IMAP access
+only for some people. The exact solution you want depends on what passdb you
+use. The solutions can also be modified for other types of IMAP/POP3/SMTP/etc.
+access checks.
+
+PAM
+---
+
+Set PAM service name to '%s', ie.:
+
+---%<-------------------------------------------------------------------------
+passdb {
+ driver = pam
+ args = %s
+}
+---%<-------------------------------------------------------------------------
+
+That way PAM uses '/etc/pam.d/imap' for IMAP, and '/etc/pam.d/pop3' for POP3.
+
+In '/etc/pam.d/imap' you could then use eg. the pam_listfile.so module:
+
+---%<-------------------------------------------------------------------------
+# allow IMAP access only for users in /etc/imapusers file
+auth required pam_listfile.so item=user sense=allow
+file=/etc/imapusers onerr=fail
+---%<-------------------------------------------------------------------------
+
+SQL
+---
+
+You can use the '%s' variable which expands to 'imap' or 'pop3' in
+'password_query', eg:
+
+---%<-------------------------------------------------------------------------
+password_query = SELECT password FROM users WHERE userid = '%u' and not
+(imap_allowed = false and '%s' = 'imap')
+---%<-------------------------------------------------------------------------
+
+LDAP
+----
+
+Just like with SQL, you can use '%s' in pass_filter, eg.:
+
+---%<-------------------------------------------------------------------------
+pass_filter = (&(objectClass=posixAccount)(uid=%u)(service=%s))
+---%<-------------------------------------------------------------------------
+
+That would require setting both service=pop3 and service=imap attributes to the
+user objects.
+
+passwd-file
+-----------
+
+You can create a deny passwd-file based on the service:
+
+---%<-------------------------------------------------------------------------
+passdb {
+ driver = passwd-file
+ args = /etc/dovecot/deny.%s
+ deny = yes
+}
+---%<-------------------------------------------------------------------------
+
+This makes Dovecot look for '/etc/dovecot/deny.imap' and
+'/etc/dovecot/deny.pop3' files. If the user exists in it, the access is denied.
+The files don't need to have anything else than one username per line.
+
+Note that this deny passdb must be before other passdbs. It also means that it
+can be used with any other passdb, not just with passwd-file passdbs.
+
+Restricting IP Access
+---------------------
+
+It's possible to allow a user to authenticate only from a specific IP or
+network. This is especially useful for master users. This can be done by
+returning <allow_nets> [PasswordDatabase.ExtraFields.AllowNets.txt] extra field
+in passdb.
+
+(This file was created from the wiki on 2019-06-19 12:42)